mirror of
https://github.com/labwc/labwc.git
synced 2025-10-29 05:40:24 -04:00
img: fix UAF on Reconfigure by refcounting
Before this commit, there was a use-after-free bug on Reconfigure: - theme_finish() destroys lab_imgs for titlebar icons - For some reason, undecorate() calls _create_buffer() in scaled-img-buffer.c, which calls img_render() on a destroyed lab_img. So in this commit, the lifetime of a lab_img is extended until the scaled_img_buffers referencing it are all destroyed. This is achieved by calling lab_img_copy() when setting a lab_img on a scaled_img_buffer and calling lab_img_destroy() when clearing it. Now that the scaled_img_buffer.img pointers are always different, lab_img_equal() is added to compare the content of scaled_img_buffer.img.
parent
90a8c3e793
commit
70fb713874
6 changed files with 32 additions and 11 deletions
|
|
@ -3,6 +3,7 @@
|
|||
#define LABWC_IMG_H
|
||||
|
||||
#include <cairo.h>
|
||||
#include <stdbool.h>
|
||||
#include <stdint.h>
|
||||
#include <wayland-util.h>
|
||||
|
||||
|
|
@ -72,4 +73,9 @@ struct lab_data_buffer *lab_img_render(struct lab_img *img,
|
|||
*/
|
||||
void lab_img_destroy(struct lab_img *img);
|
||||
|
||||
/**
|
||||
* lab_img_equal() - Returns true if two images draw the same content
|
||||
*/
|
||||
bool lab_img_equal(struct lab_img *img_a, struct lab_img *img_b);
|
||||
|
||||
#endif /* LABWC_IMG_H */
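Review bot: The doc comment added for `lab_img_equal()` does not state the contract callers need. It leaves open what "the same content" means for two copies made by lab_img_copy(), and whether either argument may be NULL, which matters if a cleared scaled_img_buffer.img can reach the comparison. I would add a line such as `* Copies made with lab_img_copy() compare equal; NULL arguments are <allowed / not allowed>.`, filled in from the implementation, which is not visible in this section. If the function only reads its arguments, declaring them `const struct lab_img *img_a, const struct lab_img *img_b` would make that explicit. The ownership rule the use-after-free fix depends on (each scaled_img_buffer holds its own lab_img_copy() and releases it with lab_img_destroy()) appears only in the commit message; the header comments for those two functions start outside this hunk, so check that they say it.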
|
||||
|
|
|
|||